comment on

I was also happy enough with the last part, namely installing CPAN modules more securely via cpanm's --verify option, which verifies the integrity of distribution files retrieved from CPAN using CHECKSUMS file and SIGNATURES file (if found in the distribution).

About last year I built perl for a specific project. During installation of packages via CPAN the package I looked into the the signature/verification thing. The effort seemed like a fucking security theater ...

not all the modules had the signatures;
some were still using old, apparently expired, PAUSE GPG key;
I did not have the luxury to omit the offending packages as they were required in some way, nor did I have the facility to write the replacements.

The packages missing the signatures (or using old PAUSE keys) remaining in CPAN the archive undermine the whole process. They ought to be evicted, or updated/replaced with a version with signatures (along with updated PAUSE keys). Have not installed anything from CPAN for myself (but OSen sure do install software on machines that I use😬).

See also ...

c 2021 Addressing CPAN vulnerabilities related to checksums by Neil B;
c 2022 Key Not Certified in CPAN -- "solved" by turning off signature verification🙄🫠

Please do tell me (truthfully) that the above is out of date (all the packages have valid signatures & checksums; all use currently active PAUSE keys; packages are downloaded over "https"/secure connection).

In reply to Re: Building Perl and CPAN Modules Securely from Source by parv
in thread Building Perl and CPAN Modules Securely from Source by eyepopslikeamosquito

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.